Key References:

  • GDPR Art. 23
  • Recital 73

Key Elements of Art. 23

  • Rights and freedoms are not absolute.
  • Art. 23 lists the criteria based on which Member States may restrict the application of the GDPR, including limitations on the rights of data subjects and obligations on controllers. (Note: UDHR Art. 29(2) and ECHR Art. 10(2) provide similar limitations.)
  • Art. 23(1) states, in part, that:
    • restrictions may be placed by way of a legislative measure; [legislation recommended but not required]
    • the measures placed are necessary and proportionate in a democratic society; [“necessary and proportionate” is a legal term that the CJEU uses to analyze legal challenges to GDPR and data protection]
    • and meant to safeguard the following,
      • national security;
      • defence;
      • public security;
      • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
      • other important objectives of general public interest of the Union or of a Member State;
      • the protection of judicial independence and judicial proceedings;
      • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
      • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
      • the protection of the data subject or the rights and freedoms of others;
      • the enforcement of civil law claims.
  • GDPR Art. 23(2) states that the legislative measures adopted to restrict the GDPR should be specific and list details under Art. 23(2)(a)-(h), such as the scope of restrictions, purpose and categories of processing, risks to data subjects’ rights and freedoms, and whether data subjects must be notified of the existing restrictions.
  • Recital 73 states that the restrictions introduced by Member States should be in accordance with the Charter and the European Convention, thereby creating limitations on Member State legislation that exempts controllers from the application of the GDPR or limits data subjects’ rights.

GDPR Exemptions, Restrictions, and Scope:

  • Art. 23 restrictions deal with activities where the GDPR would normally apply but exemptions exist for controllers and data subjects. This is not to be confused with activities where the GDPR does not normally apply, such as personal or household activity, which is outside the GDPR’s scope.
  • Art. 23 restrictions deal with Member State laws that restrict the application of the GDPR. These are not to be confused with the Art. 18 restriction of processing, which is a data subject right to restrict the processing of personal data by a controller.